Authenticating SBOMs

Notarizing and Authenticating Software Bills of Materials (SBOMs) with Trustcenter #

When vcn notarizes a Software Bill of Materials (SBOM) together with a container image, codebase, or other build artifact, every dependency in that artifact’s manifest is notarized as well, and the artifact and its dependencies are immutably associated with one another.

This creates a chain of custody for the artifact and its dependencies: you can check the integrity of the artifact, track which artifacts (and which dependency versions) are deployed on your infrastructure, and detect untrusted or unnotarized dependencies before they reach production.

Resolving dependencies with vcn #

You can use the vcn bom command to resolve and display an artifact’s manifest of dependencies:

vcn bom <artifact>

Example: vcn bom

vcn bom image://python:3.10-alpine

Output:

:	alpine-baselayout-data@3.2.0-r22
:	musl@1.2.3-r0
:	busybox@1.35.0-r17
:	alpine-baselayout@3.2.0-r22
:	alpine-keys@2.4-r1
:	ca-certificates-bundle@20220614-r0
:	libcrypto1.1@1.1.1q-r0
:	libssl1.1@1.1.1q-r0
:	ssl_client@1.35.0-r17
:	zlib@1.2.12-r3
:	apk-tools@2.12.9-r3
:	scanelf@1.3.4-r0
:	musl-utils@1.2.3-r0
:	libc-utils@0.7.2-r3
:	ca-certificates@20220614-r0
:	tzdata@2022a-r0
:	ncurses-terminfo-base@6.3_p20220521-r0
:	ncurses-libs@6.3_p20220521-r0
:	libbz2@1.0.8-r1
:	sqlite-libs@3.38.5-r0
:	libffi@3.4.2-r1
:	gdbm@1.23-r0
:	xz-libs@5.2.5-r1
:	expat@2.4.8-r0
:	libintl@0.21-r2
:	libtirpc-conf@1.3.2-r1
:	krb5-conf@1.0-r2
:	libcom_err@1.46.5-r0
:	keyutils-libs@1.6.3-r1
:	libverto@0.3.2-r0
:	krb5-libs@1.19.3-r0
:	libtirpc@1.3.2-r1
:	libnsl@2.0.0-r0
:	libuuid@2.38-r1
:	readline@8.1.2-r0
:	.python-rundeps@20220907.224335

Notarizing an artifact’s bill of materials #

To notarize an artifact together with its bill of materials, pass the --bom flag to the vcn notarize command; vcn resolves the dependencies (as vcn bom does) and notarizes them alongside the artifact:

vcn notarize --bom <artifact>

# Short form of command:
vcn n --bom <artifact>

Authenticating an artifact’s bill of materials #

After an artifact has been notarized with its bill of materials, you can authenticate both the artifact and each of its notarized dependencies by passing the --bom flag to the vcn authenticate command:

vcn authenticate --bom <artifact>

# Short form of command:
vcn a --bom <artifact>
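The three steps above (resolve, notarize, authenticate) are usually wired into a CI or deploy job. The script below is an added example, not code from the vcn documentation or the Trustcenter project. It parses `vcn bom` output into name/version pairs, reports drift against a manifest you pinned earlier, and refuses to proceed unless `vcn authenticate --bom` succeeds. It assumes two things the page does not state: that `vcn bom` prints one dependency per line as `<prefix>:<TAB>name@version` (the shape of the output shown above), and that `vcn authenticate` exits non-zero when the artifact or a dependency is not trusted. The `VCN` variable naming the binary is this example's own convention so a CI job or test can point it at a stub; the sample BOM lines are constructed from the listing above.

```shell
#!/bin/sh
# Added example (not from the vcn docs): a small deploy gate around vcn bom /
# vcn notarize --bom / vcn authenticate --bom.
# Assumptions not stated on the page:
#  - vcn bom prints one dependency per line as "<prefix>:<TAB>name@version";
#  - vcn authenticate exits non-zero when the status is not "trusted";
#  - the VCN variable (default: vcn) names the binary, so a stub can replace it.

# Constructed sample: a trimmed copy of the `vcn bom image://python:3.10-alpine`
# listing shown above.
SAMPLE_BOM=$(printf ':\tmusl@1.2.3-r0\n:\tbusybox@1.35.0-r17\n:\tlibssl1.1@1.1.1q-r0\n:\tzlib@1.2.12-r3')

# bom_parse: read vcn bom output on stdin, emit "name version" per line.
# The leading "<prefix>:" column is optional; lines without an '@' are dropped.
bom_parse() {
    sed -n 's/^\([^:]*:\)\{0,1\}[[:space:]]*\([^@][^@]*\)@\(.*\)$/\2 \3/p'
}

# bom_drift PINNED CURRENT: print entries of CURRENT (a bom_parse listing) that
# are absent from PINNED, i.e. new packages or changed versions. Prints nothing
# when the manifest is unchanged and never fails on an empty result.
bom_drift() {
    grep -vxF -f "$1" "$2" || true
}

# authenticate_gate ARTIFACT: run `vcn authenticate --bom` and return its
# verdict (0 = artifact and its notarized dependencies are trusted,
# non-zero = block the deploy).
authenticate_gate() {
    if "${VCN:-vcn}" authenticate --bom "$1" >/dev/null 2>&1; then
        echo "trusted: $1 and its notarized dependencies"
        return 0
    fi
    echo "BLOCKED: $1 failed vcn authenticate --bom" >&2
    return 1
}

# Demonstration on constructed data: pin the manifest, then simulate a rebuild
# that bumped zlib and pulled in a new package. Expected drift output:
#   zlib 1.2.13-r0
#   curl 7.83.1-r2
workdir=$(mktemp -d)
printf '%s\n' "$SAMPLE_BOM" | bom_parse > "$workdir/pinned"
printf ':\tmusl@1.2.3-r0\n:\tbusybox@1.35.0-r17\n:\tlibssl1.1@1.1.1q-r0\n:\tzlib@1.2.13-r0\n:\tcurl@7.83.1-r2\n' \
    | bom_parse > "$workdir/current"
bom_drift "$workdir/pinned" "$workdir/current"
rm -rf "$workdir"

# In a pipeline, after `vcn notarize --bom <artifact>` on the build side, the
# deploy side would call:  authenticate_gate image://python:3.10-alpine || exit 1
```

Drift detection and authentication answer different questions: `bom_drift` tells you the manifest changed since you last looked at it, while `authenticate_gate` tells you whether the artifact and every dependency carry a trusted notarization. A rebuild that legitimately bumps a library will show drift but still authenticate once it has been re-notarized; an artifact whose dependencies were never notarized fails the gate regardless of drift.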